Configure Microsoft Entra ID SAML SSO for Synaccess Cloud
This guide explains how to connect Synaccess Cloud to Microsoft Entra ID, formerly Azure Active Directory, using SAML 2.0.
Prerequisites
- A Synaccess Cloud enterprise administrator account.
- A Microsoft Entra administrator role that can create and configure enterprise applications. Microsoft documents Cloud Application Administrator, Application Administrator, or owner of the service principal for SSO setup.
- Users must either already exist in Synaccess Cloud with matching email addresses, or just-in-time provisioning must be enabled for the Synaccess enterprise.
- Keep at least one break-glass administrator account available before enforcing SSO-only sign-in.
Field Mapping
Copy these values from Synaccess Cloud into Microsoft Entra ID:
| Synaccess Cloud value | Microsoft Entra field |
|---|---|
| Assertion Consumer Service (ACS) URL | Reply URL (Assertion Consumer Service URL) |
| Service Provider Entity ID | Identifier (Entity ID) |
Copy these values from Microsoft Entra ID back into Synaccess Cloud:
| Microsoft Entra value | Synaccess Cloud field |
|---|---|
| Microsoft Entra Identifier | Identity Provider Issuer |
| Login URL | SAML SSO Login URL |
| Certificate (Base64) | SAML certificate |
Synaccess Cloud does not currently use the Entra Logout URL.
Step 1: Copy Synaccess Cloud SAML Values
- Sign in to Synaccess Cloud as an enterprise administrator.
- Go to Team > SAML.
- Copy the Assertion Consumer Service (ACS) URL.
- Copy the Service Provider Entity ID.
The ACS URL is where Entra posts the SAML response. It is enterprise-specific and uses this shape:
https://cloud.synaccess.com/sso/saml/<enterprise_id>The Service Provider Entity ID is the Synaccess Cloud application origin for the environment:
https://cloud.synaccess.comDo not use the Microsoft Entra Identifier as the Identifier (Entity ID) in Entra. Entra's Identifier field is asking for the Synaccess service provider entity ID.
Step 2: Create the Entra Enterprise Application
- Open the Microsoft Entra admin center or Azure portal.
- Go to Entra ID > Enterprise apps > New application.
- Select Create your own application.
- Enter a recognizable name, such as
Synaccess Cloud. - Select Integrate any other application you don't find in the gallery (Non-gallery).
- Select Create.
This enterprise application flow is the correct path for a custom SAML integration. Do not use App registrations for this setup unless you are building an OAuth/OIDC application instead.
Step 3: Assign Users or Groups
- Open the new enterprise application.
- Go to Users and groups.
- Select Add user/group.
- Assign the users, or groups if your tenant licensing and policy allow group assignment.
For initial testing, assign one known test user whose Synaccess Cloud email address exactly matches the SAML Name ID you will send from Entra.
Step 4: Configure SAML in Entra
- In the enterprise application, go to Single sign-on.
- Select SAML.
- In Basic SAML Configuration, select Edit.
- Set Identifier (Entity ID) to the Synaccess Cloud Service Provider Entity ID.
- Set Reply URL (Assertion Consumer Service URL) to the Synaccess Cloud ACS URL.
- Leave Relay State and Logout URL blank unless you have a specific policy requiring them.
- Leave Sign on URL blank for the basic Synaccess setup. If your tenant requires a value or you want the app tile to open Synaccess Cloud, use the Synaccess sign-in URL, such as
https://cloud.synaccess.com/saml-login. - Save the configuration.
For Synaccess Cloud, the required Basic SAML Configuration values are Identifier (Entity ID) and Reply URL. Sign on URL is optional and is not the ACS URL.
Step 5: Configure Attributes and Claims
Synaccess Cloud uses the SAML Name ID as the user's email address. The backend looks up the returned Name ID against the user's Synaccess Cloud email.
- In the SAML setup page, open Attributes & Claims.
- Edit Unique User Identifier (Name ID).
- Set the identifier format to Email address when available.
- Set Source attribute to the value that matches the user's Synaccess Cloud email:
- Use
user.mailwhen the Entra mail field is populated and matches the Synaccess Cloud email. - Use
user.userprincipalnameonly when the user's UPN is the same value used as their Synaccess Cloud email.
- Use
- Save the claim.
The default additional claims for email address, given name, surname, and name can remain. Synaccess Cloud does not currently require those additional claims for SAML login.
Do not use objectid, pairwiseid, or another stable opaque identifier as Name ID unless Synaccess Cloud user records are changed to store and match that identifier. Today, Synaccess expects an email-like Name ID.
Step 6: Download the Signing Certificate
- Return to the Entra SAML setup page.
- In SAML Certificates, download Certificate (Base64).
- Open the downloaded certificate in a text editor.
- Copy the full certificate into Synaccess Cloud's SAML certificate field.
The certificate may include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Keep them if they are present. Do not paste a private key.
Track the certificate expiration date. When the Entra token-signing certificate expires or is rotated, update the certificate in Synaccess Cloud before users depend on the new certificate.
Step 7: Copy Entra Values into Synaccess Cloud
In the Set up section of the Entra SAML page, copy:
- Microsoft Entra Identifier.
- Login URL.
Then return to Synaccess Cloud > Team > SAML:
- Paste Microsoft Entra Identifier into Identity Provider Issuer.
- Paste Login URL into SAML SSO Login URL.
- Paste the downloaded certificate into SAML certificate.
- Save changes.
- Enable SAML access.
After a successful test, decide whether to enable Require SSO for sign-in in Synaccess Cloud team settings. Do this only after confirming at least one administrator can still get in.
Step 8: Test the Login Flow
For the most reliable test, use a private browser window.
- Go to the Synaccess Cloud SAML login page, such as
https://cloud.synaccess.com/saml-login. - Enter the assigned user's email address.
- Synaccess Cloud redirects the browser to Entra with a SAML authentication request.
- Sign in with Microsoft credentials.
- Entra posts the SAML response back to the Synaccess ACS URL.
- Synaccess Cloud signs the user in if the Name ID matches an existing user, or if just-in-time provisioning is enabled and allowed for the enterprise.
You can also test from the Entra SAML page, but Synaccess-initiated login is usually the cleaner test because Synaccess generates the SAML request and includes its expected Name ID policy.
Corrections and Clarifications
- Basic SAML Configuration: yes, for Synaccess Cloud the required values are Identifier (Entity ID) and Reply URL (ACS URL). Sign on URL is optional.
- Identifier (Entity ID): use the Synaccess Cloud Service Provider Entity ID, not the Microsoft Entra Identifier.
- Reply URL: use the Synaccess Cloud ACS URL exactly as shown.
- Unique User Identifier (Name ID):
user.mailis correct only if it matches the Synaccess Cloud email for every assigned user. Otherwise use the Entra attribute that does match. - Certificate: pasting the full Base64 certificate with or without PEM begin/end lines is acceptable in the current Synaccess configuration. Prefer keeping the downloaded file's original format.
- Synaccess Identity Provider Issuer: use Microsoft Entra Identifier.
- Synaccess SAML SSO Login URL: use Entra Login URL.
- Logout URL: not used by Synaccess Cloud today.
Troubleshooting
| Symptom | Likely cause | What to check |
|---|---|---|
| Entra says the reply URL is invalid or mismatched | The ACS URL in Entra does not exactly match Synaccess Cloud | Check scheme, host, path, enterprise ID, and trailing slash |
| Synaccess shows Unauthorized after Entra redirects back | Name ID does not match a Synaccess user and JIT provisioning is off | Inspect the Name ID claim and the user's Synaccess Cloud email |
| User can authenticate in Entra but cannot access the app | User is not assigned or app assignment policy blocks access | Check Users and groups and Entra sign-in logs |
| SAML login fails after certificate rotation | Synaccess has the old Entra signing certificate | Download the current Entra certificate and update Synaccess |
| Direct Entra Login URL does not work as a bookmark | Raw IdP URL lacks Synaccess's SP-initiated request context | Start from https://cloud.synaccess.com/saml-login |
| Local testing redirects to the wrong host after first-time JIT provisioning | Current code has a hard-coded production redirect in one JIT path | Test with an existing user or verify in production before relying on local JIT behavior |
References
- Microsoft Learn: Quickstart: Add an enterprise application
- Microsoft Learn: Enable SAML single sign-on for an enterprise application
- Microsoft Learn: Quickstart: Create and assign a user account
- Microsoft Learn: Customize SAML token claims